Go Back

Leaky SMB File Shares – So Many Bytes!

June 19, 2019
Leaky SMB File Shares – So Many Bytes!

Everyone loves a sequel. If you’re an avid Marvel fan, you’re probably sitting on the edge of your seat waiting for your fix of new movies. If you’re a Harry Potter fan, you may be wondering when J.K Rowling is going to pick up her pen. In the entertainment industry, fans look forward to a sequel with eager anticipation. While fans may be itching to see sequels produced by the entertainment industry, security practitioners may dread research sequels by our Digital Shadows Photon Research Team. Recently, we found 2.3 billion files exposed across online file storage technologies – and that’s 750 million more files exposed than we reported last year.

A less tantalizing sequel, perhaps? Well, we certainly don’t expect Hollywood to buy the rights to this report soon. But for the cybersecurity community, this research shows there are several developments – both positive and negative – in the data exposure landscape.

 

Here’s what 2.3 billion files exposed looks like

  • Using proprietary research technology, the Photon research team detected 2.3 billion files exposed across online file stores like Amazon S3 buckets, SMB-enabled file shares, and NAS drives.
  • Of those files, the United States had the highest amount of exposure across online file repositories, leaving over 326 million files exposed.
  • Countries in the European continent collectively exposed the highest number of files, accounting for over 1 billion. France accounted for 151 million, while the United Kingdom claimed 98 million.
  • Of the 28 European Union state members, only two countries experienced a drop in the number of files exposed: Luxembourg and the Netherlands.
  • The Server Message Block (SMB) protocol exposed the most data among the technologies we analyzed. File Transfer Protocol and rsync servers claimed 20 percent and 16 percent of the exposure detected, respectively.
  • Having found 16 million files coming from S3 buckets in October 2018, we detected fewer than 2,000 such exposed files in May 2019.

 

SMBody ate the pie

Overall, SMB – a protocol used for sharing files on internal networks, mainly on the Windows platform – took a larger share of the pie, doubling its overall file share exposure. FTP and rsync servers followed closely behind accounting for 20 percent and 16 percent of the exposure detected, respectively.

The story around Amazon S3 buckets is quite the opposite; though the overall volume of file exposure increased over the last year, there was a noticeable decline in ongoing exposure.

 

Number of files being exposed by Amazon S3 buckets over the past year

Figure 1: Number of files being exposed by Amazon S3 buckets over the past year

 

This comes as no surprise as Amazon’s new feature Block Public Access was introduced in November 2018, seeming to quell the consistent leakage of S3 buckets. Such a move by Amazon demonstrates the sheer power of a secure default – so, could such a simple security default also benefit other file sharing platforms?

SMB, FTP, rsync servers and NAS drives already have security defaults built into their products, whether that’s in the form of encryption or authentication. For example, Microsoft outlines that the SMB protocol can be secured at a user and share level.

The availability of these security mechanisms indicates that the issue is not a lack of authentication options on offer, but rather a lack of uptake when it comes to implementing these authentication methods.

 

SamSam discovery

This research also identified that 17 million files had been held hostage by various ransomware variants. Although we detected several variants of ransomware encrypted these files, one in particular, caught our attention: SamSam. If the name rings a bell, you may recall in our paper A Tale of Epic Extortions, Photon detailed how the “SamSam” ransomware operators gained access to victim networks and held sensitive data hostage. Within our data analysis, we identified a commonly known SamSam extension (.otherinformation) appended to files within exposed file stores. The attacks we identified had not been previously reported publicly, adding an interesting discovery to our research.

 

Accounting for inadvertent exposure

Explaining the increase of exposure across SMB, FTP, rsync servers and NAS drives is complex, but we outline some potential indicators:

  • Lack of awareness: Individuals may not be clued up when it comes to securing file devices. Many people may upload files without thinking these storage devices are exposed. Such a problem can be easily solved by better education and training around these risks.
  • Ease of use: When it comes to file sharing, individuals may be prioritizing ease of use over security. But it doesn’t have to be a trade-off – security can be embedded into the experience of a product,
  • Legacy IT: Legacy systems lack the sensible security defaults – as security simply wasn’t designed into these file sharing products at the time. What’s more, our research has shown that people are continuing to use legacy IT systems alongside newer ones. For example, we identified NAS drives (hosting data) that were over 15 years old, but still online. Without the security upgrades in place, individuals are inadvertently sharing their data and leaving themselves open to risk.

This recent research shows that keeping pace with these interconnected file storage devices can be difficult – especially at an operational level. The number of these file storage devices is only going to grow, as new devices come online and old ones remain switched on.

Without the right security controls in place, this inadvertent data exposure can be challenging to track – though not an entirely impossible one to control.

 

How Digital Shadows Can Help

Digital Shadows SearchLight™ enables organizations to detect data loss. With SearchLight, organizations register their document marking systems, email headers, and intellectual property. SearchLight then continually monitors for these assets across the open, deep, and dark web to detect where this data is exposed. Each alert includes recommendation actions, including the ability to launch takedowns from within the SearchLight portal.

You can check out our Data Loss Detection overview also to learn more:
Data Loss Detection Overview

 

And if you want to keep updated on the latest research our team produces – subscribe to join our email list ✉️

Start Free 7-Day Test Drive of SearchLight
Start Test Drive